NIST 800-171 compliance was required in 2017, but workarounds were created. The 2020 SolarWinds Orion supply chain attack highlighted the weaknesses those workarounds opened. Now, the US Department of Defense is implementing the Cybersecurity Maturity Model Certification (CMMC) to normalize and standardize cybersecurity preparedness across the federal government’s defense industrial base (DIB).
This demands that the government know the level of compliance that exists at each company. The results are not good.
Though not due until 2025, CMMC has no workarounds. You either “are” or “aren’t.” If you are not CMMC, then you cannot do DoD work. CMMC compliance is to begin to appear in DoD contracts starting in Fall 2021, Winter 2022. If a company is not CMMC-ready, it will not be considered for the work.
From his long CISO and government agency experience, as well as his recent consulting engagements, EJ Hilbert has developed a body of knowledge on this subject, which he will share with the Data Connectors Cybersecurity Community for the first time at the Chicago Virtual Cybersecurity Summit on April 20th.